Access & Roles

Question 1

What is Authentication?

Answer 1

• Demonstration that you are who you say you are

- The user must prove his/her identity to the server by providing a username and password

Question 2

What is Authorization?

Answer 2

• Now that the user is trusted, this determines what you can do as a result
• Server determines if a client has access to utilize a resource or perform a specific job/task

Question 3

What are Authentication Methods available in Splunk?

Answer 3

• Native Splunk Accounts
• LDAP
• SAML
• Scripted Authentication

Question 4

If there are SSO or SAML problems, if they are configured, how do login?

Answer 4

Add to the login URI:

?login_type=splunk

Question 5

Where are Splunk’s internal Authentication placed?

Answer 5

$SPLUNK_HOME/etc/passwd

Question 6

What Authentication method always takes precedence when multiple methods are configured?

Answer 6

Splunk “internal”

Question 7

What is the most common authentication method?

Answer 7

LDAP with AD

Question 8

In LDAP, what is a DC?

Answer 8

Domain Component

ex. dc=splunk, dc=com

Question 9

In LDAP, what is a OU?

Answer 9

Organizational Unit

ex. ou=people, dc=splunk, dc=com

Question 10

In LDAP, what is a CN?

Answer 10

Common Name

ex.cn: Peter Gibbons

Question 11

What can you ask for from a system administrator to help with configuring Splunk with LDAP?

Answer 11

LDAP Data Interchange Format(LDIF)

This will allow you to review all of the attribute/value pairs associated with each and more identify things such as the “Base DN for users” and the “Base DN for groups”

Question 12

How does authorization work in Splunk?

Answer 12

• In order for a user to login they must have a User Account and A ROLE assigned.
• Cannot assign Access/Capabilities to a user. They must be assigned to Roles.
• Roles can only Assign Capabilites, Not Remove them.
• Rest API Data Access Query
  https: //host:port/services/authorization/roles/admin
• To faithfully restrict access to data it must be in its own index, and restricted from there. Search time obfuscation can be subverted
• Create separate indexes for data with diffferent classifications, and User access levels
• Default User Role has access to all Non-Internal indexes

Question 13

Can Splunk use multiple LDAP servers?

Answer 13

Yes, and as soon as Splunk locates a user on the server, it stops searching.

Search order is determined by the Connection order field..

If the user also has credentials on a server later in the search order, those credentials are ignored.

Question 14

What are some LDAP tools to help you?

Answer 14

GUI Apps:

• Apache Directory Studio
• Softerra LDAP Vrowser
• ASDI Edit

Linux CLI:
-ldapsearch

Question 15

If SSO is configured, which does Splunk handle, Authentication or Authorization?

Answer 15

Authorization

Question 16

What is a user?

Answer 16

A persona (individual or shared)

Not always a single -person, might be a shared credential like the base admin user

Question 17

What is Role?

Answer 17

a collection of permissions and capabilities

A role is a handle for linking together access rights and capabilities

Cannot assign access/capabiltiies to a user. These must be assigned to roles. If a particular individual needs a specific capability or access, then a role must be created for that user, making it a role of one.

Question 18

What are Capabilities?

Answer 18

user actions associated with roles

Capabilities define what the members of a role can do.

Notable examples include the ability to run a real time search.

Applications can extend the base capability.

Question 19

Can you disable capabilities inherited from parent roles?

Answer 19

No

Question 20

Roles define Search limits how?

Answer 20

How wide a search (time) can be used

How many concurrent searches running

How much disk space can be consumed by search artifacts.

Question 21

What is role inheritance?

Answer 21

As a rule, members of multiple roles inherit properties from the role with the broadest permissions.

Question 22

How do users inherit search filter restrictions?

Answer 22

The filters are all combined and thus the restrictions for each are applied.

Question 23

How do users inherit allowed indexes?

Answer 23

The user is given the highest level of access granted to any role to which they are assigned.

Question 24

How do users inherit capabilities?

Answer 24

The user is given the highest level of abilities granted to any role to which they are assigned.

Question 25

What is the srchIndexesDefault setting?

Answer 25

A list of indexes to search when no index is specified.

Question 26

What is the srchIndexesAllowed setting?

Answer 26

A list of indexes a role is allowed to search.